Smithsonian Institution
Office of the Inspector General

In Brief

Human Resources Management System
Report Number A-07-06, September 19, 2007

Why We Did This Evaluation

Under the Federal Information Security Management Act of 2002 (FISMA), the Office of the Inspector General (OIG) conducts an annual independent assessment of the Institution’s information security system. As part of that assessment, FISMA requires a review of a subset of information systems. This report covers one such system, the Human Resources Management System (HRMS), and evaluates HRMS management, operational, and technical security controls.

What We Found

HRMS contains sensitive personnel data. Managers throughout the Institution use HRMS to manage core activities such as recruitment, electronic transmittal of personnel actions, benefits administration, training, and recording and reporting of workplace incidents and injuries.

Overall, we concluded that management has done a good job identifying, documenting, and implementing management, operational, and technical controls over HRMS. We did, however, note instances during our testing where policies and procedures were not being followed. Specifically, we found that:

    • Management did not enforce access authorization procedures that require approved user access request forms, increasing the risk of individuals being granted excessive or unauthorized access to the system and related data.
    • Management did not ensure adequate segregation of administrative and security functions, particularly duties concerning the review of database logs and access restrictions associated with system changes.
    • Management did not review database logs or monthly compliance reports on a consistent basis, increasing the risk that inappropriate or unauthorized activities may have occurred without detection.
    • Management did not document the final HRMS baselines and note where deviations may have occurred for valid business purposes. As a result, management cannot ensure that technical controls have been adequately identified and implemented.
    • The Institution did not establish proper authorization for the HRMS connection with the National Finance Center, which was outside of the accreditation boundary.

Without adequate controls in place to enforce Institution policies, procedures, and practices over HRMS, the confidentiality, availability, and integrity of the system and its related data may be at greater risk than management is willing to accept.

What We Recommended

We made five recommendations to strengthen controls over HRMS by enforcing Institution policies, procedures, and practices over user access request forms, segregation of employee duties, database logging and monitoring, system baselines, and interconnection agreements.

Management concurred with the report’s findings and recommendations and has planned or taken action that will resolve all recommendations.

For additional information or a copy of the full report, contact the Office of the Inspector General at (202) 633-7050 or visit http://www.si.edu/oig.

REPORT ON THE AUDIT OF THE FISCAL YEAR 2007 HUMAN RESOURCES MANAGEMENT SYSTEM
SMITHSONIAN INSTITUTION
OFFICE OF THE INSPECTOR GENERAL

Cotton & Company LLP
Auditors · Advisors
635 Slaters Lane, 4th Floor
Alexandria, Virginia 22314
703.836.6701
www.cottoncpa.com

CONTENTS

Section                                                         Page
Purpose                                                            3
Background                                                         3
Objectives, Scope, and Methodology                                 4
Results
   User Access Request Procedures Are Not Implemented              5
   Segregation of Duty Controls Need Improvement                   6
   Database Logging and Monitoring Controls Are Inadequate         8
   Baseline Configurations Are Not Documented                      9
   Information System Connections Are Not Formally Authorized     10
Summary of Management Response                                    12
Office of the Inspector General Comments                          12
Appendix – Management Response                                    13

Cotton & Company LLP conducted an audit of the Smithsonian Institution’s security management programs and practices to determine the effectiveness of management, operational, and technical security controls over the Institution’s Human Resources Management System (HRMS).

PURPOSE

The E-Government Act of 2002 (Pub. L. No. 107-347), which includes Title III, the Federal Information Security Management Act of 2002 (FISMA), was enacted to strengthen the security of federal government information systems. Although the E-Government Act of 2002 does not apply to the Institution, the Institution supports the information security practices required by the Act because they are consistent with and advance the Institution’s mission and strategic goals.

FISMA outlines federal information security compliance criteria, including the requirement for an annual independent assessment by the Institution’s Inspector General. This report covers the evaluation of the HRMS management, operational, and technical security controls and supports the Smithsonian Institution Office of the Inspector General (OIG) annual FISMA evaluation of the information security controls implemented by the Institution.

BACKGROUND

FISMA, Office of Management and Budget (OMB) regulations, and National Institute of Standards and Technology (NIST) guidance outline minimum security requirements for federal information security programs. These include:

    • Recommended Security Controls. NIST’s Recommended Security Controls for Federal Information Systems provides guidelines for selecting and specifying security controls for information systems supporting the executive agencies of the federal government. The guidelines apply to all components of an information system that process, store, or transmit federal information. The guidelines have been developed to help achieve more secure information systems within the federal government. The process of selecting and specifying security controls for an information system includes the organization’s overall approach to managing risk, the security categorization of the system in accordance with Federal Information Processing Standard (FIPS) 199 and the selection of minimum (baseline) security controls, the activities associated with tailoring the baseline security controls through the application of scoping guidance and the assignment of organization-defined parameters, and the potential for supplementing the minimum security controls with additional controls, as necessary, to achieve adequate security.

    • Certification and Accreditation. NIST’s Guide for the Security Certification and Accreditation of Federal Information Systems states that systems should be certified and accredited. A certification is “a comprehensive assessment of the management, operational and technical security controls in an information system, made in support of security accreditation, to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system.” NIST guidance also discusses system accreditation, which is “the official management decision given by a senior agency official to authorize operation of an information system and to explicitly accept the risk to agency operations (including mission, functions, image, or reputation), agency assets, or individuals, based on the implementation of an agreed-upon set of security controls.” Organizations should use the results of the certification to reassess their risks and update system security plans to provide the basis for making security accreditation decisions.

    • System Security Plan. NIST’s Guide for Developing Security Plans for Federal Information Systems requires that all major applications and general support systems be covered by a security plan. The plan provides an overview of the security requirements of a system and describes controls in place or planned for meeting those requirements. Additionally, the plan defines responsibilities and the expected behavior of all individuals accessing the system. The NIST guide also instructs that the security plan should describe the management, operational, and technical controls the organization has implemented to protect the system. Among other things, these controls include user identification and authentication procedures, contingency/disaster recovery planning, application software maintenance, data validation, and security awareness training.

OBJECTIVES, SCOPE, AND METHODOLOGY

On behalf of the OIG, Cotton & Company performed an independent audit of HRMS, the Institution’s human resources system. We conducted this audit in accordance with Government Auditing Standards, 2007 Revision, as amended, promulgated by the Comptroller General of the United States. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence that provides a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives. This report is intended to meet the objectives described below and should not be used for other purposes.

As part of the Institution’s Enterprise Resource Planning (ERP) system, HRMS contains sensitive information that must be protected from unauthorized disclosure. The mission of HRMS is to help managers at all levels manage human resource information successfully.
Managers throughout the Institution use the system to manage core activities including:

    • Recruitment
    • Electronic transmittal of personnel actions
    • Benefits administration
    • Training
    • Employee and labor relations
    • Recording and reporting of workplace incidents and injuries
    • Management of relevant Occupational Health and Safety data
    • Competencies, career planning, and succession planning

The objectives of this independent audit were to evaluate and report on management’s identification, documentation, and implementation of the management, operational, and technical security controls required by NIST Special Publication (SP) 800-53.

To accomplish these objectives, we performed a detailed audit of required controls using the suggested audit procedures outlined in NIST’s Draft SP 800-53A. We performed a high-level review of available certification and accreditation (C&A) documentation, including the HRMS:

    • System Security Plan
    • Plan of Actions and Milestones
    • Risk Assessment
    • Certification and Accreditation Letters, and
    • Documented NIST SP 800-53 controls

Management has classified HRMS as a moderate-impact system in accordance with FIPS 199, Standards for Security Categorization of Federal Information and Information Systems. The system and its data are sensitive. As a result, we evaluated HRMS general controls from November 2006 through January 2007 using the test procedures for a moderate-impact system defined in NIST’s Draft SP 800-53A, Guide for Assessing the Security Controls in Federal Information Systems. The test procedures in SP 800-53A were designed by NIST to test the specific security controls outlined in NIST SP 800-53, Recommended Security Controls for Federal Information Systems. We tested the controls defined by NIST SP 800-53 for such systems through interviews, observation, and specific testing procedures where applicable. Examples of key controls tested included:

    • Controls over administration of user accounts
    • Controls over application, database, and server changes
    • Controls over segregation of duties within HRMS, and
    • Controls over the logging and monitoring of user activities

RESULTS

Overall, we concluded that management has done a good job identifying, documenting, and implementing management, operational, and technical controls over HRMS. Specifically, we noted that the HRMS C&A process was adequately documented, the Plan of Actions & Milestones (POA&M) was effectively maintained, and the HRMS disaster recovery plan had been adequately tested. We did, however, note some weaknesses during our testing. While policies and procedures have been established, in some instances these policies and procedures were not being followed, which may increase risks beyond what management is willing to accept. We detail these specific control weaknesses below.

User Access Request Procedures Are Not Implemented

Controls are not adequate to ensure that policies and procedures over the use of user access request forms are implemented. We determined that management was not enforcing its documented access authorization procedures, which require that new user access be requested and approved using the HRMS access request form. We selected a sample of 45 HRMS users and requested the supporting access request forms; 44 of the 45 users selected did not have an access request form.
Upon further review, we noted that the 44 users had supporting emails, but these emails did not include all of the information contained in the access request form, such as a signature.

HRMS System Security Plan Section AC-2 Account Management states that:

        To access the ERP HRMS system, a user must have an active Novell network logon ID/password and a PeopleSoft / Medgate logon ID/password. Users must submit a written and approved ERP HRMS access request form to the Help Desk to gain access to the system. Access request forms must be signed by the user’s immediate supervisor and Administrative Officer. The supervisor and Administrative Officer are responsible for ensuring that the user’s privileges are appropriate and that proper segregation of duties is maintained. The user’s immediate supervisor is responsible for ensuring that user access privileges are removed in a timely manner.

NIST SP 800-53, Recommended Security Controls for Federal Information Systems (AC Policies and Procedures), states that:

        AC-2 Account Management: The organization manages information system accounts, including establishing, activating, modifying, reviewing, disabling, and removing accounts.

NIST SP 800-14, Generally Accepted Principles and Practices for Securing Information Technology Systems, section 3.5.2 (User Administration), under User Account Management, states that:

        Organizations should have a process for (1) requesting, establishing, issuing, and closing user accounts; (2) tracking users and their respective access authorizations; and (3) managing these functions.

Insufficient or ineffective access controls can increase the risk of individuals being granted excessive or unauthorized access to the system and related data, which increases the risk of inappropriate disclosure of sensitive data.

Recommendation

    1. We recommend that the Chief Information Officer (CIO) enforce the Institution and HRMS-specific access control policy, which requires that an approved ERP HRMS access request form be submitted prior to granting new users access to HRMS. In addition, all current users who do not have an approved access request form on file should be required to complete the form.

Segregation of Duty Controls Need Improvement

Controls are not adequate to ensure that access within HRMS has been adequately segregated to reduce the likelihood of individuals performing inappropriate or unauthorized activities. Specifically, we determined that management has not taken adequate steps to ensure the segregation of incompatible functions in HRMS. We noted the following weaknesses:

    • Review of HRMS Oracle database logs is not performed by an individual independent of administration. Currently, database logs are reviewed by the Oracle database administrator. Best practices dictate that administrative and security functions be segregated to ensure that activities performed by individuals with high-level access are independently reviewed.

    • HRMS developers have access to the production environment. Specifically, we identified four individuals with access to the development, testing, and production environments in HRMS. We determined that OCIO can grant waivers for these individuals if access to production is necessary to perform their job duties. Through interviews, we determined that these individuals did not have a waiver from OCIO justifying their level of access. NIST and industry best practices require that sensitive activities, including the development of changes and the movement of changes into production, be segregated to help ensure that only authorized changes are introduced into production.

The HRMS system security plan section AC-5 Separation of Duties states that:

        Examples of separation of duties include: (i) mission functions and distinct information system support functions are divided among different individuals/roles; (ii) different individuals perform information system support functions (e.g., system management, systems programming, quality assurance/testing, configuration management, and network security); and (iii) security personnel who administer access control functions do not administer audit functions.

        Where feasible, programmers who maintain an application should not have access to production data in that system. Programmers must not, in any case, alter data using processes external to the application without documented approval by the system sponsor. In sensitive systems users must not be given privileges that allow them to initiate and approve the same transaction.

In addition, Technical Note IT-930-TN10 details the procedures for minimizing access to production software and data, including separation of duties. Section C.ii Separation of Duties states:

        Ensure that application developers and system administrators are not given access to modify production data. If this is required for their official duties, then a waiver must be obtained by OCIO.

Finally, NIST SP 800-53, Recommended Security Controls for Federal Information Systems (Policies and Procedures), states:

        CM-5 Access Restrictions for Change: The organization enforces access restrictions associated with changes to the information system.

Our review of the standard HRMS access request form noted that administrative activities and system support functions were not identified on the access request form. However, during the exit conference OCIO provided a revised access request form, which now identifies specific functions. Although these functions have been identified, not enforcing the concepts of least privilege or separation of duties with regard to the review of database logs and access restrictions associated with HRMS changes increases the risk of inappropriate activities occurring without management’s knowledge.

Recommendation

    2. We recommend that the CIO identify, document, and implement segregation of duty controls for sensitive administrative and system support functions. Management should document in the system security plan those activities that need to be segregated.

Database Logging and Monitoring Controls Are Inadequate

Controls are not adequate to ensure that HRMS database logs are reviewed weekly as required by NIST and Institution auditing and logging policies and procedures. Specifically, we determined that HRMS database logs were not being reviewed on a consistent basis.

We noted that monthly compliance reports are generated to report auditing and logging activities within HRMS but are not regularly reviewed. The monthly compliance reports show selected application and database auditing and logging activities that are monitored each month and submitted to OCIO.
Based on our review of the November 2006 report, we noted that database log activities within HRMS were not included.

Technical Note IT-930-TN03, Auditing & Logging Procedures, states:

        Review logs weekly. Audit trails must be reviewed weekly by the Security Group or other authorized individuals who do not administer access to the application and/or system and are not regular users of the system. The Computer Security Manager must review the audit trail monthly and provide a report to OCIO. Anomalies must be reported immediately to appropriate supervisory positions and the Computer Security Manager for follow-up action. After resolution of any abnormalities a formal report of findings must be reported to OCIO.

In addition, NIST SP 800-53, Recommended Security Controls for Federal Information Systems (Access Controls), states:

        AC-13 Supervision & Review – Access Control: The organization supervises and reviews the activities of users with respect to the enforcement and usage of information system access controls. The organization reviews audit records (e.g., user activity logs) for inappropriate activities in accordance with organizational procedures. The organization investigates any unusual information system-related activities and periodically reviews changes to access authorizations. The organization reviews more frequently the activities of users with significant information system roles and responsibilities.

        AU-6 Audit Monitoring, Analysis & Reporting: The organization regularly reviews/analyzes information system audit records for indications of inappropriate or unusual activity, investigates suspicious activity or suspected violations, reports findings to appropriate officials, and takes necessary actions. The organization employs automated mechanisms to integrate audit monitoring, analysis, and reporting into an overall process for investigation and response to suspicious activities.

Insufficient or ineffective monitoring of system logs can increase the risk that inappropriate or unauthorized activities may occur without management’s knowledge.

Recommendation

    3. We recommend that the CIO enforce Institution policy and procedures requiring the weekly review of logs and the monthly submission of appropriately detailed management reports to OCIO.

Baseline Configurations Are Not Documented

Controls are not adequate to ensure that differences between the Institution and HRMS baselines are documented.
Specifically, we noted that while management used OCIO’s standard baseline templates to install and configure HRMS, management did not document the final baselines and note where deviations may have occurred for valid business purposes.

In addition, as noted in the FY2006 FISMA evaluation report,[1] OCIO’s standard baselines for Windows and Oracle were not adequate to ensure that all controls applicable to Windows and Oracle systems were addressed.

    [1] Report on FY 2006 FISMA Audit of the Smithsonian Institution’s Information Security Program, Number A-06-05, April 20, 2007.

NIST SP 800-40, Creating a Patch and Vulnerability Management Program, Section 4.3 Using Standardized Configurations, states that:

        A standard configuration should be defined for each major group of IT resources (e.g., routers, user workstations, file servers). Organizations should focus standardization efforts on types of IT resources that make up a significant portion of their entire IT resources. Likely candidates for standardization include end user workstations, file servers, and network infrastructure components (e.g., routers, switches). The standard configuration will likely include the following items:

            • Hardware type and/or model
            • Operating system version and patch level
            • Major installed applications (version and patch level)
            • Standard configuration settings

        In many cases, these standardized configurations can be maintained centrally, and changes can be propagated to all participating IT resources. An organization that relies on a hardware supplier to place a standard configuration on new computers should coordinate closely with that supplier to ensure that changes, including new patches, are implemented quickly.

In addition, OCIO Technical Note IT-960-TN16, Baseline and Configuration Management of Application, Database, and Web Servers, dated June 16, 2005, Section D Server Configurations, pg. 5, states:

        Individual server configuration documents must be maintained for each server by system owners. At a minimum, these documents should contain information such as the server name, location, purpose, Internet Protocol (IP) configurations, application specifics, organizations supported, maintenance schedules, and which baseline document was used to initially build the server.

Without system-specific documented baselines, management cannot ensure that technical controls have been adequately identified and implemented.

Recommendation

    4. We recommend that the CIO document final baselines for the HRMS operating system and database after determining what Institution-wide baselines will be adopted. In addition, as part of installing the baselines, OCIO should specifically note where suggested security settings have not been implemented for valid business purposes.

Information System Connections Are Not Formally Authorized

Controls are not adequate to ensure that the Smithsonian establishes proper authorization for all connections from the information system to other information systems outside of the accreditation boundary and monitors and controls the system interconnections on an ongoing basis.

HRMS has been operating since October 2004 without any formal interconnection agreement with the National Finance Center (NFC). Sensitive privacy data related to personnel and workers’ compensation issues is being transferred through the Institution’s connections with NFC. Our audit determined that the Institution has an informal Interconnection Security Agreement (ISA) but no Memorandum of Understanding (MOU) with NFC. This issue has been included in the POA&M.

The Institution’s policy on information system connections requires both an Interconnection Security Agreement and a Memorandum of Understanding. OCIO Technical Note IT-930-TN22, Security Agreements for Interconnected Systems, Sections 4A and 4B, states that:

        System owners should use NIST SP 800-47, Security Guide for Interconnecting Information Technology Systems, as a guide for planning, establishing, maintaining, and terminating interconnections between SI systems and non-SI systems.

        Prior to connecting the systems the system owner should prepare two documents:

            ◦ A MOU defining the responsibilities of the various organizations in establishing, operating and securing the Interconnection. This document should not contain technical details. Appendix A of the Tech Note contains a sample of this document.

            ◦ An ISA containing a statement of requirements and the system technical and security controls required for the interconnection. Appendix B of the Tech Note contains a sample of this document.

NIST SP 800-47, Security Guide for Interconnecting Information Technology Systems, Section 2 Background, states that:

        It is critical, therefore, that both parties learn as much as possible about the risks associated with the planned or current interconnection and the security controls that they can implement to mitigate those risks. It also is critical that they establish an agreement between themselves regarding the management, operation, and use of the interconnection and that they formally document this agreement. The agreement should be reviewed and approved by appropriate senior staff from each organization.

        Federal policy requires federal agencies to establish interconnection agreements. Specifically, OMB Circular A-130, Appendix III, requires agencies to obtain written management authorization before connecting their IT systems to other systems, based on an acceptable level of risk. The written authorization should define the rules of behavior and controls that must be maintained for the system interconnection and it should be included in the organization’s system security plan.

        Section 3.5, Step 5: The joint planning team should document an agreement governing the interconnection and the terms under which the organizations will abide by the agreement, based on the team’s review of all relevant technical, security, and administrative issues (Section 3.4 above). Two documents may be developed: an ISA and an MOU/A. Because the ISA and the MOU/A may contain sensitive information, they should be stored in a secure location to protect against theft, damage, or destruction. If copies are stored electronically, they should be protected from unauthorized disclosure or modification. An ISA development guide and sample are provided in Appendix A, and an MOU/A development guide and sample are provided in Appendix B.

We note that over the past several years the Institution has attempted to establish an interconnection agreement with NFC. We were informed that an interconnection agreement between NFC and the Institution was prepared and that OCIO awaits the final signed copies from NFC.

Recommendation

    5. We recommend that the CIO formalize the Interconnection Security Agreement and establish the Memorandum of Understanding between the Institution and the National Finance Center of the U.S. Department of Agriculture in accordance with Institution policy and NIST guidance.

SUMMARY OF MANAGEMENT RESPONSE

Management’s September 7, 2007, response to our draft report concurred with our findings and recommendations. Management implemented improved user account authorization procedures for new account requests and requests for account changes. By June 2008, OCIO will ensure that all current users provide approved access forms. The CIO also agreed to strengthen its controls over segregation of duties as well as database logging and system monitoring by early 2008. In addition, OCIO has signed and submitted to the National Finance Center for its signature a Memorandum of Understanding and Interconnection Security Agreement.
Finally, by April 30, 2008, OCIO agreed to establish Institution-wide baselines and document any deviations in HRMS baselines.

We include the full text of management’s response in the Appendix to this report.

OFFICE OF THE INSPECTOR GENERAL COMMENTS

Management has planned and taken actions that are responsive to our recommendations, and we consider them resolved. Regarding recommendation four, we urge OCIO to establish Smithsonian-wide baselines as soon as practicable because of the sensitivity of the data contained in the Institution’s systems and the widespread baseline weaknesses that we have identified in our FISMA-related reports.

We appreciate the courtesy and cooperation of Smithsonian representatives during this audit. If you have any questions concerning this report, please call Stuart Metzger or Joan Mockeridge at (202) 633-7050.

Appendix – Management Response
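The access-authorization, segregation-of-duties and log-review tests described under Results, as an added example that is not part of the original report or of the Institution’s own tooling: a Python screen over a constructed sample of HRMS user records that flags the three conditions the auditors tested (no approved, fully signed access request form on file; developer access to production without an OCIO waiver; database logs reviewed by the database administrator). All user names, roles and form details are made up for illustration.

```python
"""Access-review checks modelled on the HRMS audit findings.

Constructed example (not the auditors' or the Institution's own code). It screens
a sample of user access records for the three conditions the report tested:
  1. an approved HRMS access request form, signed by the supervisor and the
     Administrative Officer, is on file (e-mail approvals do not count);
  2. developers do not hold production access without an OCIO waiver;
  3. database logs are reviewed by someone independent of database administration.
All user names, roles and form details below are made up for illustration.
"""
from dataclasses import dataclass, field
from typing import Optional

REQUIRED_SIGNATURES = {"supervisor", "administrative_officer"}


@dataclass
class AccessForm:
    approved: bool
    signatures: set = field(default_factory=set)   # who signed the form
    evidence: str = "form"                          # "form" or "email"


@dataclass
class User:
    name: str
    environments: set                               # e.g. {"development", "production"}
    roles: set = field(default_factory=set)         # e.g. {"developer", "dba"}
    form: Optional[AccessForm] = None
    ocio_waiver: bool = False


def check_access_form(user: User) -> Optional[str]:
    """Finding 1: access must be requested on an approved, fully signed form."""
    f = user.form
    if f is None:
        return "no access request form on file"
    if f.evidence != "form":
        # The audit found e-mail approvals that lacked a signature; treat them
        # as insufficient evidence rather than as a substitute for the form.
        return f"approval evidenced only by {f.evidence}, not the access request form"
    missing = REQUIRED_SIGNATURES - f.signatures
    if missing:
        return "access request form missing signature(s): " + ", ".join(sorted(missing))
    if not f.approved:
        return "access request form on file but not approved"
    return None


def check_dev_prod_segregation(user: User) -> Optional[str]:
    """Finding 2: developer access to production requires a documented OCIO waiver."""
    if "developer" in user.roles and "production" in user.environments and not user.ocio_waiver:
        return "developer holds production access without an OCIO waiver"
    return None


def check_log_review_independence(reviewer: User) -> Optional[str]:
    """Finding 3: the database-log reviewer must not administer the database."""
    if "dba" in reviewer.roles:
        return f"database logs reviewed by {reviewer.name}, who is also the DBA"
    return None


def review_access(users: list, log_reviewer: User) -> dict:
    """Run all checks; return {user name: [findings]} plus the log-review finding."""
    findings = {}
    for u in users:
        issues = [m for m in (check_access_form(u), check_dev_prod_segregation(u)) if m]
        if issues:
            findings[u.name] = issues
    lr = check_log_review_independence(log_reviewer)
    if lr:
        findings.setdefault("_log_review", []).append(lr)
    return findings


def form_exception_rate(users: list) -> tuple:
    """(users without a compliant form, users sampled): the ratio the report cites."""
    bad = sum(1 for u in users if check_access_form(u) is not None)
    return bad, len(users)


# Constructed sample of HRMS users (fictional).
SAMPLE_USERS = [
    User("alice", {"production"}, {"manager"},
         AccessForm(True, {"supervisor", "administrative_officer"})),
    User("bob", {"production"}, {"manager"},
         AccessForm(True, set(), evidence="email")),                    # e-mail approval only
    User("carol", {"development", "testing", "production"}, {"developer"},
         AccessForm(True, {"supervisor", "administrative_officer"})),   # dev + prod, no waiver
    User("dave", {"development", "production"}, {"developer"},
         AccessForm(True, {"supervisor", "administrative_officer"}), ocio_waiver=True),
    User("erin", {"production"}, {"dba"},
         AccessForm(True, {"supervisor"})),                             # AO signature missing
]
DBA_REVIEWER = SAMPLE_USERS[4]   # the DBA reviewing her own database logs

if __name__ == "__main__":
    for who, issues in review_access(SAMPLE_USERS, DBA_REVIEWER).items():
        print(who, "->", "; ".join(issues))
    bad, n = form_exception_rate(SAMPLE_USERS)
    print(f"{bad} of {n} sampled users lack a compliant access request form")
```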